hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,671 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

1740 Commits

Author SHA1 Message Date
Joe Farebrother
d69ecde5c1 Java: Add additional flow steps for guava collection methods and more unit tests 2021-01-25 16:37:40 +00:00
Joe Farebrother
7e11d8ed07 Java: Add modelling for guava Sets 2021-01-25 16:37:40 +00:00
Joe Farebrother
d1427fcd93 Java: Add modelling for Guava's collection classes 2021-01-25 16:37:40 +00:00
Artem Smotrakov
8d701e604a Simplified JexlInjectionLib.qll 
- Merged multiple method definitions to DirectJexlEvaluationMethod
- Don't use TaintPropagatingJexlMethodCall field in JexlInjectionConfig
- Better variable names in JexlEvaluationSink
 2021-01-25 14:17:51 +01:00
Chris Smowton
d34233b44f Rewrite XQuery injection to use an additional taint step instead of multiple configurations. 
Also remove a needless barrier -- the method in question doesn't conduct taint by default, so excluding particular instances of that call is not necessary.
 2021-01-25 11:18:45 +00:00
haby0
16308fe557 Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-25 19:16:18 +08:00
haby0
14a23eed4f Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-25 19:15:59 +08:00
Francis Alexander
75b79039a1 Example fixes 2021-01-24 20:46:37 +05:30
Francis Alexander
81e372d078 Formatting changes 2021-01-24 20:44:21 +05:30
Francis Alexander
a64fc2b24e Java: Queries to detect remote source flow to CORS header 2021-01-24 18:58:39 +05:30
Artem Smotrakov
71e5cb45d3 Simplified method and class definitions for JEXL 2021-01-23 19:50:16 +01:00
Artem Smotrakov
03348b18b5 Simplified TaintPropagatingJexlMethodCall 2021-01-23 19:41:14 +01:00
Artem Smotrakov
a47147bc5e Simplify sinks in JexlInjectionLib.qll 2021-01-23 19:22:43 +01:00
Artem Smotrakov
28ebbee61d Added TaintPropagatingJexlMethodCall class 2021-01-23 17:42:04 +01:00
haby0
0b326aae20 *)update XQueryInjectionLib.qll 2021-01-23 18:27:38 +08:00
haby0
44d99f8cd4 *)update XQueryInjection.ql 2021-01-23 18:26:58 +08:00
haby0
ec4c155043 *)update XQueryInjection.qhelp 2021-01-23 18:26:15 +08:00
Artem Smotrakov
73c8338e52 Use <code> tag in JexlInjection.qhelp 2021-01-21 22:49:36 +01:00
Artem Smotrakov
ee6d28b562 Use LocalUserInput when looking for JEXL injections 2021-01-21 22:46:18 +01:00
Artem Smotrakov
8166e269ec Added examples of a sandbox for JEXL expressions 2021-01-21 20:53:15 +01:00
haby0
a56dd60baa *)add CWE-652 XQueryInjection detection 2021-01-21 19:18:10 +08:00
Artem Smotrakov
7df813354a Improved JexlInjectionLib.qll 2021-01-20 20:26:48 +01:00
Luke Cartey
5c6f5b7b33 Java: Track taint through Spring Java bean getters on super types 2021-01-20 16:53:03 +00:00
Anders Schack-Mulligen
dde8d320f3 Apply suggestions from code review 
Minor qldoc fixes.
 2021-01-19 08:24:24 +01:00
luchua-bc
b9809b071e Update the query to work with wrapper classes 2021-01-18 19:22:34 +00:00
Marcono1234
703336a77f Add ArrayInit.getSize(), improve documentation 2021-01-18 16:44:53 +01:00
luchua-bc
048167d39a Revamp the query to reduce FPs introduced by wrapper calls 2021-01-18 04:23:30 +00:00
Artem Smotrakov
7d2d27394b Java: Added a source and a taint step for JexlInjectionConfig 
- Added TaintedSpringRequestBody source
- Added returningTaintedDataFromBean() taint step
- Added tests
 2021-01-17 22:28:42 +01:00
Artem Smotrakov
99401f6e84 Java: Query for detecting JEXL injections 2021-01-17 14:19:26 +01:00
luchua-bc
3af8773dd6 Add more cases 2021-01-15 16:20:31 +00:00
luchua-bc
32c54628f8 Drop fieldName from the function for runtime evaluation 2021-01-15 12:33:00 +00:00
luchua-bc
e5a703e49c Revamp the query 2021-01-15 04:05:11 +00:00
intrigus-lgtm
b8076481bf Java: Suggestions from Review 2021-01-13 20:32:23 +01:00
Anders Schack-Mulligen
f3b8fe2e2e Java: Add Member.hasQualifiedName. 2021-01-13 13:42:35 +01:00
Anders Schack-Mulligen
29935e1388 Merge pull request #4771 from intrigus-lgtm/split-cwe-295 
Java: Add unsafe hostname verification query and remove existing overlapping query
 2021-01-13 11:31:38 +01:00
luchua-bc
babe744a30 Add SECURITY_PROTOCOL check 2021-01-13 03:49:08 +00:00
intrigus
5b3086a93a Java: Fix capitalization of JxBrowser 2021-01-12 22:43:41 +01:00
intrigus
1ebc9f4d93 Java: Only detect JxBrowser < 6.24 2021-01-12 22:39:08 +01:00
intrigus
1901f6bf55 Java: Make @id @name of query more similar. 2021-01-12 15:36:55 +01:00
intrigus
9b3070ab7c Java: Add JXBrowser disabled certificate query. 2021-01-12 14:48:22 +01:00
intrigus
85286f362c Java: Replace global flow by local flow 2021-01-11 19:02:07 +01:00
intrigus-lgtm
722bd4dafa Java: Revise qhelp 2021-01-11 18:57:24 +01:00
intrigus-lgtm
4cfdb10ddc Java: Improve QLDoc & simplify code 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-01-11 18:50:43 +01:00
luchua-bc
86c04e6971 Detect the scenario of passwords concatenated with a salt to reduce FPs 2021-01-11 16:59:57 +00:00
intrigus
5c1e746c96 Java: Rename to EnvReadMethod 2021-01-11 13:42:08 +01:00
intrigus
1eb2b75389 Java: Further reduce FPs, simply Flag2Guard flow 2021-01-11 13:42:08 +01:00
intrigus
b4692734b2 Java: Add QLDoc improve query message 2021-01-11 13:42:08 +01:00
intrigus-lgtm
f4b912cd8a Apply suggestions from doc review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-01-11 13:42:08 +01:00
intrigus
e11304a1ca Java: Autoformat 2021-01-11 13:42:08 +01:00
intrigus-lgtm
b8f3e64a0f Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-01-11 13:42:08 +01:00